{"id":453,"date":"2011-10-15T23:42:28","date_gmt":"2011-10-15T23:42:28","guid":{"rendered":"http:\/\/41j.com\/blog\/?p=453"},"modified":"2011-10-15T23:54:31","modified_gmt":"2011-10-15T23:54:31","slug":"securitytube-wireless-lan-security-megaprimer-notes-parts-1-to-4","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2011\/10\/securitytube-wireless-lan-security-megaprimer-notes-parts-1-to-4\/","title":{"rendered":"SecurityTube, Wireless Lan Security Megaprimer notes: parts 1 to 4"},"content":{"rendered":"

These are my notes on Parts 1 to 4 of the security tube wireless security videos here<\/a>.<\/p>\n

I’m using Backtrack verison 5 R1 whereas Vivek is using version 4. The only different so far is that mdk is on the path, so I can just type “mdk” to launch it.<\/p>\n

Part 1<\/h2>\n

This is the wireless device used in all the videos:<\/p>\n

Alfa Networks AWUS036H USB Wifi device<\/p>\n

* Integrated into Braktrack
\n* Allows for packet sniffing
\n* Allows for packet injection
\n* 1W output<\/p>\n

Will also need a AP, two laptops. Some smartphones may be interesting.<\/p>\n

Install Backtrack (tutorials use Backtrack 4R2).<\/p>\n

Attached the USB Wifi device and connect to VirtualBox if you’re using that.<\/p>\n

Part 2<\/h2>\n

0. Backtrack doesn’t startx, so type startx if you want it.<\/p>\n

1. Bring up the wifi card:<\/p>\n

\r\nifconfig wlan0 up\r\n<\/pre>\n
2. You need to create a monitor mode interface for monitoring:<\/p>\n
\r\nairmon-ng # without args shows cards\r\nairmon-ng start wlan0 # creates monitor interface\r\niwconfig # check that the card is in monitor mode\r\n<\/pre>\n
3. Load Wireshark (at a command prompt type “wireshark”).<\/p>\n
4. Start a capture, from the “Capture menu”: Capture->Interfaces->mon0 (start)
\n4.1 Note: Wireless card can only monitor one channel at a time.
\n4.2 Note: Different countries have different channels and allowed power levels.<\/p>\n
5. You can force card on to specific channel for example:<\/p>\n
\r\niwconfig wlan0 channel 1\r\n<\/pre>\n
6. Some tools can hop between channels showing traffic, for example airodump:<\/p>\n
\r\nairodump-ng --band bg mon0\r\n<\/pre>\n
Part 3: Beacon Frames<\/h2>\n
Three types of packets: Management, Control, Data (there are subtypes of these too)
\nYou can find a LOT of information here: 802.11 specs: http:\/\/standards.ieee.org\/about\/get\/802\/802.11.html<\/p>\n
Access points are configured with SSIDs. That’s a network name, used for discovery. SSID can be for one AP or multiple APs. To allow clients to find them access points broadcast “Beacon Frames”.<\/p>\n
1. Capturing Beacon frames with wireshark:<\/p>\n
\r\nifconfig wlan0 up      \r\nairmon-ng start wlan0\r\nwireshark&amp;amp;amp;\r\n<\/pre>\n
2. Examine the beacon frame. Select a beacon frame in wireshark.
\n2.1 Look at Management frame header.
\n2.2 Note that there are “Fixed parameters” and “Tagged parameters”
\n2.3 “Fixed Parameters”: Look in “Capabilities Information”, it tells you if it’s an AP or not.
\n2.4 “Tagged Parameters”: note you can see supported rates and the device channel. Possibly encryption information.<\/p>\n
3. Attackers can inject their own beacon frames! We’re going to show you how.<\/p>\n
3.1 We’ll use MDK to create beacon frames. Type the following to get info on mdk:<\/p>\n
\r\nmdk --help b # shows info about beacon flooding\r\n<\/pre>\n
To broadcast beacon frames, type the following:<\/p>\n
\r\nmdk3 mon0 -b -n PWNEDSSID\r\n<\/pre>\n
You should be able to see the network PWNEDSSID on other devices!<\/p>\n
Part 4: Dissecting AP-Client Connections<\/h2>\n
Note1: Vivek plays around a lot with wireshark filters in this video, some of it isn’t strictly required, but it gets you used to using filters.<\/p>\n
Note2: Make *SURE* you are filtering to\/from the correct MAC addresses. I found this partiuclarly important if you have a lot of Apple hardware around…<\/p>\n
0. Setup an open access, access point.<\/p>\n
1. We’re going to connect a smartphone or PC to this AP, so have a client ready.<\/p>\n
2. Make sure wifi is off on the smartphone\/PC.<\/p>\n
3. Set the channel of the Backtrack laptop wifi card to the same channel as the open access point, as follows:
\n3.1 As before, use airodump-ng mon0 to display the channel the AP is on.
\n3.2 As before, use iwconfig wlan0 channel  to change the card to that channel.<\/p>\n
4. Make a capture of the traffic using wireshark (as before).<\/p>\n
5. Filter for traffic not to\/from our access point and filter out beacon frames.
\n5.1 The filter will eventually read as (wlan.addr == ACCESSPOINTMAC) && !(wan.fc.type_subtype == 0x08)
\n5.2 You can build this filter by pointing and clicking in wireshark:
\n    Open a beacon frame, under “802.11 Beacon frame” right click on “Source address”, select “apply as filter”->Selected
\n    Edit the filter box change “wlan.sa” to “wlan.addr”.<\/p>\n
    Under “IEEE 802.11 Beacon frame” select “Type\/Subtype”. Right click, select “apply as filter”->”and not selected”<\/p>\n
6. Attach the client smartphone\/laptop to the network.<\/p>\n
7. Add another address to the filter. This is the client address.
\n   7.1 remove the && !(wan.fc.type_subtype == 0x08) portion of the filter.
\n   7.2 In the “IEEE 802.11” section of the packet select the MAC of the client and right click:
\n       “apply as filter”->”and selected”<\/p>\n
8. Remove the (wlan.addr == ACCESSPOINTMAC) part of the filter. Your filter should just read:
\n   (wlan.addr == CLIENTMAC), where CLIENTMAC is the mac address of your smartphone\/PC.<\/p>\n
9. Take a look at the packet trace in wireshark.
\n9.1 Find the first “Probe Request” from the smartphone\/PC.
\n9.2 Note that it’s a Broadcast packet.
\n9.3 Note that below that packet you can see a “Probe Response” coming from your access point.
\n9.4 Client may also send out “Probe Requests” to networks previously connected to.<\/p>\n
10. Add the access point mac to the filter. As before right click the access point address and select “apply as filter”->”add selected”.
\n    Change wlan.sa to wlan.addr.<\/p>\n
11. Scroll down a little, you should be able to find a packet labeled “Authentication” from your AP to the client.
\n11.1 Note that the Authentication packet from the client as “Authentication SEQ: 0x0001” and the reply has “SEQ: 0x0002”.<\/p>\n
12. Now we see the association packets.
\n12.1 Note that the client sends an “Association Request”
\n12.2 Note that the AP replies with an “Association Response”<\/p>\n
13. After that we should be able to see data packets, such as ARP requests etc.<\/p>\n
14. Vivek makes some interesting observations about the packet exchange, and wireless state machine:<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
These are my notes on Parts 1 to 4 of the security tube wireless security videos here. I’m using Backtrack verison 5 R1 whereas Vivek is using version 4. The only different so far is that mdk is on the path, so I can just type “mdk” to launch it. Part 1 This is the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[14,13,12,10,11],"class_list":["post-453","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-pentest","tag-security","tag-securitytube","tag-wifi","tag-wifiprimer"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-7j","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=453"}],"version-history":[{"count":5,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/453\/revisions"}],"predecessor-version":[{"id":459,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/453\/revisions\/459"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}